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Abstract: We present a secure network communication system that 
operated with decoy-state quantum cryptography in a real-world application 
scenario. The full key exchange and application protocols were performed 
in real time among three nodes, in which two adjacent nodes were con- 
nected by approximate 20 km of commercial telecom optical fiber The 
generated quantum keys were immediately employed and demonstrated 
for communication applications, including unbreakable real-time voice 
telephone between any two of the three communication nodes, or a broad- 
cast from one node to the other two nodes by using one-time pad encryption. 
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1. Introduction 

Quantum cryptography can in principle offer the first provable unconditional security between 
communication parties, which is guaranteed by fundamental laws of quantum mechanics, rather 
than unproven computational assumptions. The last two decades have witnessed dramatic ad- 
vances in both theoretical developments and successful experimental demonstration of quantum 
cryptography systems, see, e.g., H] |2] E] ID |5] IS El El HI HO) to name a few of them. Based on 
these attractive progresses, several companies (such as IdQuantique, MagiQ and SmartQuan- 
tum) have commercially developed quantum cryptography prototypes, which bring quantum 
cryptography into practical applications by integrating with current encryption and decryption 
techniques. In practice, however, the security of a specific setup is not automatically ensured 
due to various imperfections. Most of today's commercially available quantum cryptography 
systems rely on photon sources from attenuated laser pulses, which forms a tremendous secu- 
rity threaten for such systems. This is because weak coherent pulse sources contain two or more 
photons per pulse with a non-vanishing probability, leaving the systems susceptible a beam 
splitter attack from a formidable eavesdropper. The photon number splitting attack is in fact the 
main security threat of practical QKD schemes lfTTl[T2l . Rigorous security analysis on practi- 
cal quantum key distribution (QKD) system is proposed by Gottesman-Lo-Liitkenhaus-Preskill 
IIT3I . and Inamori-Liitkenhaus-Mayers |[l4l . However, the results are not optimal, which can 
guarantee only a very limited key generation rates and distances for a practical quantum cryp- 
tography system. 

Recent revolutionary progress has been achieved by introducing the idea of decoy state ifTSll . 
and by turning the idea into systematical and rigorous theory and scheme in 1161 and ifTTl . 
By using decoy state within the common setup, one can obtain much higher key generation 
rates and longer distances (typically from less than 30 km, to more than 100 km), in the same 
level compared with the case of using true single photon sources ifTTll . This leads to firstly 
successful experimental demonstrations by Lo's group from Canada ifTSi for 15 km, and further 
for 60km [19J. Then implementations for more than 100 km are almost simultaneously realized 
by research groups from China ll20l . America II2TI and Europe ll22l . Also an implementation 
for 25.3 km is achieved by Toshiba's group from UK ||23]| . 

So far most research groups all over the world have put forward QKD links, however, oper- 
ating in a point-to-point mode only, rather than networks with multiple users. This has greatly 
restricted the domain of applicability of quantum cryptography, which enjoys the extremely 
high security standard. Subtle design and appropriate network topology are needed to be ef- 
fectively integrated into existing data networks to achieve a high key generation rate and long 
distance for a secure communication network. 



Phoenix et al. Il24l proposed the idea of passive quantum networks by using passive opti- 
cal components, which can reaHze QKD between one user to any other user in the network. 
Townsend et al. lIZSl demonstrated that QKD is feasible between any user to any other one 
within a passive quantum network. However, photons are split by couplers according to their 
ratio which nevertheless sacrifices greatly the actual key generation rate. By using a network 
controller that actively controls optical switches [26l, the first quantum cryptography network, 
DARPA (The Defense Advanced Research Projects Agency ) quantum network, became oper- 
ational since 2004 ll27ll28l . One node contains an active 2-by-2 optical switch that can be used 
to actively switch between two network topologies. This network currently links the campuses 
of BBN Technologies, Harvard University and Boston University (BU), with distances of ap- 
proximately 10 km for both BBN-Harvard span and BBN-BU span. In 2006 the NIST group 
also demonstrated a three-user active quantum cryptography network with one transmitter us- 
ing optical switches and two receivers, each connected to transmitter by 1 km fiber links 1291 . 
Over 1 Mbps sifted-key rate was claimed to be generated in either link. The European SEC- 
OQC (Secure Communication based on Quantum Cryptography) quantum network ll30l has 
initiated since 2004 and currently claims to have 4 nodes in Vienna city for a fiber ring network 
of approximately 63 km and one additional node which is 85 km far from the ring. It is based 
on the trusted relay paradigm ll30l . It mostly focuses on an architecture allowing integration 
of heterogeneous QKD-link devices. One node with decoy state device is also included in the 
tested network. Recently Chen et al. implemented a four-user quantum cryptography network 
by taking star topology based on wavelength-division multiplexing (WDM) |l3T| . It was built in 
the commercial backbone telecom fiber network in Beijing with the longest length of 42.6 km 
for fibers between two nodes. 

The DARPA network 1271 l28l realized the first quantum cryptography network with 3 node, 
while the European SECOQC quantum network ll30l gives the first implementation of inte- 
grated heterogeneous QKD-link devices. At the mean time, the NIST network ||29l gives very 
high sifted-key rate in a short distance network, while the quantum network in Beijing ||3T1 
gives longest length between two nodes. These progresses are quite significant and represent 
big steps toward a secure QKD network. However, there exist still big gaps from a practical 
quantum cryptograph network. Without using decoy state, a prototype setup cannot achieve 
secure distance of more than 30 km generally lfT7l[T4l with the standard BB84 protocol. The 
implemented DARPA network ll28l . the NIST network ||29l and the network realized in |[3T1 are 
all without using decoy states. Therefore, these network, in fact, either are not secure, or can- 
not accomplish the performance mentioned in their experiments. In addition, the distance for 
secure network communication are quite short, namely, less than 10 km in the case of DARPA 
network and only 1 km for NIST network. 

In this article, we present a three-user network communication system based on decoy-state 
quantum cryptography in a typical application scenario. In the experiment, it is possible to 
create secure quantum keys on demand among USTC (University of Science and Technology 
of China), Binhu, and Xinglin that are located in Hefei city of China. As shown in Fig.[T] the 
USTC node acts as a trusted relay and constitutes a chained QKD architecture together with 
Binhu, and Xinglin. The telecom fiber strand is approximately 20 km for USTC-Binhu while it 
is also approximately 20 km for USTC-Xinglin. The produced keys were directly handed over 
to an application that was used to process real-time voice telephone between any two users of 
the three nodes. We have developed secure communication network system including both the 
QKD link modules and the audio application module based on quantum keys. All of optical, 
electronical controlling, data acquisition and processing system are integrated into one single 
box as a transmitter or a receiver. Successful real-time secret audio communication has been 
performed between any two users of the three nodes with the quantum keys through one-time 




Fig. 1. Chained network arcliitecture of our quantum cryptographiy network. Two sets of 
decoy-state QKD systems are installed for Binhu-USTC link and USTC-Xinglin link, re- 
spectively. The QKD systems have been updated in a large degree to match seamless inte- 
gration with real-time audio communication by using one-time pad encryption, among the 
three nodes. The red dashed line indicates the fiber running out of the map. 



pad encryption 1321 . An interphone has also been accomplished when one implements a secure 
broadcast again by using one-time pad encryption from one node to the other two nodes, or the 
other way around. 

Compared with prior results, we provide a complete, compact, low cost 3-node QKD net- 
work system in a real-life situation. Our motivation and results are three-fold. Firstly we focus 
on a practical QKD network with decoy state. The trusted-relay architecture we used is proved 
to be very practical and is extensively used such as in DARPA network and the SECOQC 
network. It has many advantages fSOl such as feasibility with today's technologies (not rely- 
ing on unavailability of quantum repeater), allowing for longer distance compared with optical 
switch based network etc 1301 . At the mean time, decoy state method can, in a large degree, 
increase the key generation rate with guaranteed unconditional security. Secondly we have fo- 
cused on developing a complete system, with virtues of low cost and compact, reliable and 
integrated components, rather than only an experimental demonstration. This would help to 
bring a commercial QKD network system closer. Thirdly, we focused on real-life application, 
such as real time two-way audio communication and one-way broadcast, by utilizing one-time 
pad encryption and decryption. The pseudo-random numbers are not used in our system as they 
are normally used in a Gigahertz QKD system 1331 , due to lack of a random number genera- 
tors in the Gigahertz level. Rather we use the true random number generators in every place 
for the system, and has achieved practical applications with unconditional security. In addition, 
we use the InGaAs-type detectors with a small volume rather than upconversion l34l [35l or 
superconducting nanowire detectors |9J . The latter two detectors have the advantage of high 
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Fig. 2. Sketch of the experimental setup for one QKD-link. With a random choice of 
measurement basis controlled by the phase modulator at the MZ interferometer in Bob's 
side, Bob has 1/2 probability to have correct basis choice. Both sides can then obtain sifted 
keys after comparison, which are used for further error correction, privacy amplification ac- 
cording to decoy state QKD mechanism. The classical communication channel is realized 
via a standard TCP/IP connection in our setup. Here, IM (PM): intensity (phase) modulator; 
BS: beam splitter; AT: controllable attenuator; SYN: synchronized signal; PC: polarization 
controller; PS: phase shifter; D: single-photon detector; PBS: polarizing beam splitter. 

repetition rate for detection, but with a very large volume. Moreover high background count 
rate is accompanied with the upconversion detector, while superconducting detectors require 
cryogenic cooling. The InGaAs-type detector thus provides an ideal choice for our compact, 
low cost practical QKD network systems. 

2. Experimental setup 

Due to the cuiTently lowest dispersion and attenuation for optical fiber at the telecom wave- 
length, we implement our setup in a real-life situation by using the running fiber network of 
China Netcom Group Corp Ltd. The laser sources in our quantum cryptography system are 
produced from distributed feedback (DFB) diodes with a center wavelength of 1550.12 nm and 
pulse duration of 1 ns. By a random attenuation through a fiber intensity modulator for the 
DFB laser, one thus creates the needed weak coherent signal, decoy pulses and vacuum for this 
quantum cryptography setup. In our system, there is a transmitter box in Binhu and a receiver 
box in Xinglin, while in USTC there are both a transmitter box and a receiver box. Every box 
has integrated full functions for control of QKD hardware, execution of QKD protocol mod- 
ule and seamless interchange with our audio communication application. This design can thus 
constitute two QKD links simultaneously between Binhu and USTC, and between USTC and 
Xinglin. A repetition rate of 4 MHz is used for the laser source. This is because true random 
number generators can only work at this level of rate for a commercially available product. We 
adopt in this experiment phase encoding method for finishing QKD tasks. 

For key generation, in transmitter's side the photon pulse is firstly sent to an time division 
fiber Mach-Zehnder (MZ) interferometer with the long arm through a phase modulator to gen- 
erate the four primary signal states necessary for implementing the BB84 |lj protocol of a 
QKD system. Here we use the polarizing beam splitters and beam splitters in both Alice's and 
Bob's sides, such that photons from Alice's short arm are directed into Bob's long arm and vice 
versa Q. This would avoid a 3dB loss for useful photons in the normal case of Mach-Zehnder 
(MZ) interferometers where only beam splitters are used. By using an attenuator through suit- 
able attenuation, one can control the photon number intensity to be 0.65 /pulse for signal states, 
and 0.08/pulse for decoy states for USTC-Xinglin link, while they are 0.60/pulse for signal 
states, and 0.20/pulse for decoy states for Binhu-USTC link. A synchronization laser pulse 
at the wavelength of 1310 nm was then combined with the signal and decoy states, through 



a wavelength division multiplexing (WDM) apparatus, into the installed single-mode telecom 
fiber for transmission. After passing through the 20 km long dark fiber, at receiver's side the 
synchronization information encoded in the fiber is firstly read out through another WDM appa- 
ratus. Finally a clock signal synchronized with transmitter is formed, which will further control 
correspondingly the measurement basis choice for the phase modulator located in the unbal- 
anced fiber MZ interferometer in receiver's side. In addition, this synchronization clock signal 
will also act as the gate control signal for the InGaAs-type detectors DO and Dl. The whole 
synchronization electronics, detection logic and signal acquisition are all integrated in a single 
board by using a field programmable gate array (FPGA) and running at a sampling frequency 
of 4 MHz. The detectors are running in gating mode while the gate width is set to be 2 ns to 
match our laser source. For our detectors, the "after pulse" will generally increase the error rate 
of the raw key. The after pulse probability for the detectors used in our setup will decrease to 
about 8/1000 if we set dead time be lOjXs. This is in the same level of duration for dead time 
if compared with a recent experiment lf36l . in which where a dead time of 30/i5 is used. Thus 
we have set dead time for all detectors be 2Qjj.s, and simultaneously match the detection events. 
The true dark counts rate for the detectors themselves are all about 1 .0 x 10^^/pulse. The meas- 
ured value from vacuum decoy state for dark counts rate Yq is about 1.0 x 10^^/pulse due to 
finite extinction ratio for intensity modulator, affect of the "after pulse" for detectors, and the 
intrinsic dark counts. The detection efficiency for all the detectors are greater than 10%. 

The telecom single mode fiber has an average attenuation of about 0.2 dB per kilometer 
resulting in a total attenuation of 4.5 dB including the connectors for Binhu and USTC span, 
and 5.6 dB for USTC and Xinglin span. To keep the identical and good coherent property 
for photons after propagating along the long distance fiber, a voltage-driven fiber polarization 
controller is used to dynamically adjust polarizations for the transmitted states according to 
total detection rates. This active compensation technique finally urges that photons from Alice's 
short arm are directed into Bob's long arm and vice versa. To remove system's intrinsic phase 
fluctuation in the MZ interferometers at both sides, we have used a phase shifter to compensate 
the phase difference dynamically. This is accomplished by implementing a feedback control 
to stabilize the phase. Specifically we have inserted another pulsed laser (not shown in Fig.|2]i 
with the same central wavelength of 1550.12 nm as a reference during the idle gap between two 
signal pulses, and making continuous active control of the MZ interferometer arm lengths. 

For satisfying the necessary requirements for decoy state QKD system, we used true random 
number generators produced by IdQuantique (type; Quantis-OEM, which has passed the NIST 
and Diehard randomness tests). These random number generators are integrated in our con- 
trolling electronics: a) to process random attenuation of laser source for producing signal and 
decoy states; b) to load in the phase modulator in transmitter's side for generating the needed 
four possible states for QKD system; and c) to load in the phase modulator in receiver's side 
for forming the needed two possible measurement basis for QKD system. 

3. Secure key generation and applications 

In this section, we present typical characters supplied by our experimental network commu- 
nication system. Besides the transmission loss in the fiber, there are also other coupling and 
connection losses, in particular an approximate 3.5 dB due to the inserting loss for the polar- 
ization maintaining fiber in receiver's side. The BB84 protocol contributes an additional 3 dB 
loss because there are only roughly one half of received photons encoding correct information. 
It should be remarked that this loss can be avoided if one uses an asymmetric basis choice for 
Alice and Bob 1371 . Our setting for the proportion of three transmitted states is 6 : 1 : 1 among 
the signal state, decoy state and vacuum state. 

Before demonstrating our audio application among the three nodes, we have run and meas- 



ured the average specifications that our system can achieve. Through a thirty-minute running, 
we have obtained corresponding parameters for the two QKD Hnks, and Hsted all the related 
measurement and processing results in Table 1 . The sifted key rates are archived to be more than 
10.5 kbps for Binhu-USTC link and more than 9.0 kbps for USTC-Xinglin link. The quantum 
bit error rate (QBER) is measured to be about 1.6% for Binhu-USTC link and about 1.4% for 
USTC-Xinglin link. According to the systematical theory of decoy state QKD lfT6l[T7l[38l[39l . 
we have developed a data post-processing unit to finish both error correction and privacy am- 
plification in real time by considering finite key length and statistical fluctuation. For the imple- 
mented algorithms themselves, we are mainly based on the result from the NIST group ||40|, by 
noting that there is no decoy state in the NIST case. Currently we realize the algorithms using 
software, while a FPGA implementation is more preferable in the future for high speed QKD 
links. Consequently we can achieve a final secure key rate of more than 1 .5 kbps for both links. 



Table 1. Measured specification for QKD network system 



hnk 


Communication wavelength 


QBER 


Sifted-key rate 


Final key rate 


Binhu-USTC 


1550. 12nm 


- 1.6% 


> 10.5 kbps 


> 1.6 kbps 


USTC-XingUn 


1550. 12nm 


- 1.4% 


> 9.0 kbps 


> 1.5 kbps 



We obtain the following key generation rate by using the result of lfT3l [TTl 

R > q{-Q^f{E^)H2{E^) + Q,[\ -//2(ei)]}, (1) 

where the subscript pi is the average photon number per signal in signal states; and are 
the measured gain and the quantum bit error rate (QBER) for signal states, respectively; q is an 
efficiency factor for the protocol. Q\ and e\ are the unknown gain and the error rate of the true 
single photon state in signal states. To achieve maximum possible key generation rate, the decoy 
state method can estimate the lower bound of Q\ denoting as Q\, and the upper bound of e\ 
denoting as . Thus the decoy approaches could provide an unconditional security lfT6llT7l for 
QKD systems. We follow here the method developed in ||39l[T9l to estimate good bounds for Q\ 
and e \ , and using the stronger version for maximizing the key generation rate formula developed 
in IfTSlfTTl . The H2{x) is the binary entropy function: H2{x) = — xlog2(jc) — (1 — ji:)log2(l —x), 
while the factor f{x) is for considering an efficiency of the bi-directional error correction BTl . 
For convenience, we denote v the average photon number per pulse for decoy state. 

After experimentally measuring all the relevant parameters, we can input the following 
bounds for calculating final key generation rate 1391 [191 
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Here A^v. ™d A^o are numbers of pulses used as decoy state and vacuum state, respectively, 
while Qv is the measured gain for the decoy states. 

All the relevant parameters are listed in Table |2] for a typical running duration of 120s 
for USTC-Xinglin link in our experiment. From Table (|2]i, we see a final key rate of around 

Table 2. Measured and derived specification for decoy state system 



Para. 


Value 




Para. 


Value 




Q, 


6.36 X 10- 


-i 




1.44 X 10- 


-2 


Qv 


8.61 X 10- 


-4 


Ey 


7.84 X 10- 


-2 


Q\ 


2.72 X 10- 


-3 




2.23 X 10- 


-2 


R 


4.10 X 10- 


-4 


q 


0.356 





4M*i? = 1 .7kbps is obtained for the typical running of our system. For achieving unconditional 
security, we have estimated the bounds for Q\ and e\ by considering the statistical fluctuations 
for vacuum states, gains for signal states and decoy states within 10 standard deviations. Thus 
the final keys rates is valid for finite key length and promises a confidence interval of about 
1 — 1 .5 X 10^^^. We have performed privacy amplification by utilizing the universal2 functions 
that are represented by Toeplitz matrices B2ll . This finally improves both the efficiency and 
speed in a large degree for privacy amplification, compared with the case that using purely 
random matrices. It should be remarked that, to our knowledge, this is the first implementation 
for both the error correction and privacy amplification, by considering statistical fluctuation for 
decoy state quantum key distribution in a real-life application. There is actually a tradeoff be- 
tween key generation rate and efficiency for privacy amplification. In our case we choose 120s 
communication time for one time of executing privacy amplification for corrected raw keys. 
One could certainly get faster realization for privacy amplification for shorter communication 
time, then one is left with bigger statistical fluctuation and thus less key generation rate. 

We have accumulated a final key of about 120Mbits and performed the NIST 800-22 ran- 
domness test suite f43l. The sequence has passed all the test for a significance level of 0.8%, 
with the minimum pass rate for each statistical test of 95%. Also the Diehard statistical test 
suite ll44l is performed. The reported /7-value for the test are all between 0.009 and 0.989. Thus 
there is very high confidence of 98.9% that our final keys are truly random. With sufficient large 
data of keys, we hope to perform more extensive random test for our system in the future. 

Based on these results, we have developed telephony terminal equipments through the nor- 
mal analog commercial cable for telephony. The terminal has an ability to make one-time pad 
encryption and decryption based on our QKD links, to process common voice telephone. The 
audio compression ratio has arrived 0.6 kbps. In fact, our system can offer more than 1 .2 kbps, 
which is two times the keys needed for a one-way communication. Thus our system can of- 
fer directly two-way telephony communication in real time. We have run the system for quite 
a few minutes, and always get clear audio signal transmission with a good quality. After one 
hour's continuous running, we still found no decrease of voice quality, which shows that our 
setup provides a very stable and robust secure network communication system. In fact, we have 
tested the whole system for half a month in USTC for a telecom fiber of 20 km. There is no any 
problem for the secure audio communication system. 

An interphone system is further developed in our experiment, which provides a broadcast of 
ciphered information from one user to any other two users with one-time pad encryption. Still 
using about a quantity of 0.6 kbps keys, we have successfully tested and finished broadcasts 
based on our telephony system, from any one of the Binhu, USTC and Xinglin nodes to any 
other two nodes. If we need feedbacks from the other two nodes, it is not temporarily possible 
for aU the nodes due to the limited key generation rates. It is clear that it would need 1.2 x 



(A^ — 1 ) kbps quantum keys to process this task and to make all the two-way communications 
simultaneously for nodes. 

4. Conclusion 

In summary, the experiment reported here demonstrates an operational network communication 
system, which allows real-time voice telephone between any two of the three communication 
users, or a broadcast from one user to the other two users by using one-time pad encryption. The 
chained network topology allows secret keys to be forwarded, in a hop-by-hop fashion, along 
QKD links. Therefore unconditional authentication and encryption for information transmis- 
sion by using one-time pad will become possible. The middle node acts as trusted relays and 
increases the key generation rate in a large degree, compared with the case of direct connection 
between the nodes with an exponential decreasing. Our setup can be easily expanded to many- 
node network, and enjoys an advantage of slowly increasing for key's need. Near future work 
would cover improving the key generation rates, by employing high performance detectors and 
high-speed true random number generators etc. We expect that it would be possible to finish 
two-way audio communications in real time for QKD network with a few nodes. In the case that 
the key rates is not enough for video conference with one-time pad encryption, we expect to 
use classical symmetrical encryption algorithm such as AES (Advanced Encryption Standard) 
with a high refreshing rate of keys, and maintain a desired security level. 
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